Cisco ASA 5500 Series Configuration Guide using the CLI (page 48-21)
Chapter 48: Configuring the Cisco Phone Proxy
Configuring the Phone Proxy
What to Do Next
Once you have created the TLS proxy instance, create the phone proxy instance. See Creating the Phone Proxy Instance, page 48-23.
Creating the TLS Proxy for a Mixed-mode Cisco UCM Cluster
In a mixed-mode cluster, some IP phones may already be configured for encrypted mode and therefore require TLS to the Cisco UCM. For these phones you must configure the local dynamic certificate (LDC) issuer for the TLS proxy.
Each step lists the command, an example, and its purpose.

Step 1
Command:
  hostname(config)# crypto key generate rsa label key-pair-label modulus size
Examples:
  hostname(config)# crypto key generate rsa label ldc_signer_key modulus 1024
  hostname(config)# crypto key generate rsa label phone_common modulus 1024
Purpose: Creates the necessary RSA key pairs. The key-pair-label identifies the LDC signer key or the key for the IP phones.

Step 2
Command:
  hostname(config)# crypto ca trustpoint trustpoint_name
Example:
  hostname(config)# crypto ca trustpoint ldc_server
Purpose: Creates an internal local CA to sign the LDC for Cisco IP phones. The trustpoint_name is the name of the LDC trustpoint.

Step 3
Command:
  hostname(config-ca-trustpoint)# enrollment self
Purpose: Generates a self-signed certificate.

Step 4
Command:
  hostname(config-ca-trustpoint)# proxy-ldc-issuer
Purpose: Defines the local CA role for the trustpoint to issue dynamic certificates for the TLS proxy.

Step 5
Command:
  hostname(config-ca-trustpoint)# fqdn fqdn
Example:
  hostname(config-ca-trustpoint)# fqdn my_ldc_ca.example.com
Purpose: Includes the indicated FQDN in the Subject Alternative Name extension of the certificate during enrollment. The fqdn is the FQDN for the LDC.

Step 6
Command:
  hostname(config-ca-trustpoint)# subject-name X.500_name
Example:
  hostname(config-ca-trustpoint)# subject-name cn=FW_LDC_SIGNER_172_23_45_200
Purpose: Includes the indicated subject DN in the certificate during enrollment. The X.500_name is the subject DN for the LDC.
Use commas to separate attribute-value pairs. Insert quotation marks around any value that contains commas or spaces. For example:
  cn=crl,ou=certs,o="cisco systems, inc.",c=US
The maximum length is 500 characters.

Step 7
Command:
  hostname(config-ca-trustpoint)# keypair keypair
Example:
  hostname(config-ca-trustpoint)# keypair ldc_signer_key
Purpose: Specifies the key pair whose public key is to be certified. The keypair is the key pair for the LDC (created in Step 1).

Step 8
Command:
  hostname(config)# crypto ca enroll ldc_server
Example:
  hostname(config)# crypto ca enroll ldc_server
Purpose: Starts the enrollment process with the CA.

Step 9
Command:
  hostname(config)# tls-proxy proxy_name
Example:
  hostname(config)# tls-proxy mytls
Purpose: Creates the TLS proxy instance.
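A defender-side check of the resulting configuration, added here as an example and not part of the Cisco guide: it parses the trustpoint block out of running-configuration text and reports which of Steps 1 through 7 is missing or inconsistent. The configuration text and the set of generated key labels are constructed from the examples above; on a real ASA they would come from show running-config and show crypto key mypubkey rsa.

```python
import re

# Constructed sample: trustpoint block as in the running config after Steps 2-7, plus Step 1 key labels.
SAMPLE_RUNNING_CONFIG = """\
crypto ca trustpoint ldc_server
 enrollment self
 proxy-ldc-issuer
 fqdn my_ldc_ca.example.com
 subject-name cn=FW_LDC_SIGNER_172_23_45_200
 keypair ldc_signer_key
tls-proxy mytls
"""
SAMPLE_KEY_LABELS = {"ldc_signer_key", "phone_common"}

def parse_trustpoints(config):
    """Map each 'crypto ca trustpoint NAME' block to its indented sub-commands."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ca trustpoint (\S+)\s*$", line)
        if m:
            current = m.group(1)
            trustpoints[current] = []
        elif line.startswith(" ") and current is not None:
            trustpoints[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the block
    return trustpoints

def check_ldc_trustpoint(config, key_labels, name):
    """Return the problems that stop `name` from issuing LDCs (empty list = OK)."""
    tp = parse_trustpoints(config).get(name)
    if tp is None:
        return ["trustpoint %s not found (Step 2)" % name]
    problems = []
    for cmd, step in (("enrollment self", 3), ("proxy-ldc-issuer", 4)):
        if cmd not in tp:
            problems.append("missing '%s' (Step %d)" % (cmd, step))
    if not any(cmd.startswith("fqdn ") for cmd in tp):
        problems.append("missing 'fqdn' (Step 5)")
    subjects = [cmd.split(None, 1)[1] for cmd in tp if cmd.startswith("subject-name ")]
    if not subjects:
        problems.append("missing 'subject-name' (Step 6)")
    elif len(subjects[0]) > 500:
        problems.append("subject-name exceeds 500 characters (Step 6)")
    keypairs = [cmd.split(None, 1)[1] for cmd in tp if cmd.startswith("keypair ")]
    if not keypairs:
        problems.append("missing 'keypair' (Step 7)")
    elif keypairs[0] not in key_labels:
        problems.append("keypair '%s' was never generated (Step 1)" % keypairs[0])
    return problems
```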